Context-Based Access Control and IPSec
Because CBAC is configured on perimeter devices that protect internal devices, one question always arises: Is CBAC compatible with IPSec? The answer is yes, in a limited fashion. If the router is running both CBAC and IPSec, it must be configured as an IPSec endpoint. For CBAC to function properly, the data within the packets must be examined; if that data is encrypted, CBAC cannot examine the payload, and CBAC ceases to function.
As mentioned in the preceding paragraph, when CBAC and IPSec are enabled on the same router, that router must be an IPSec endpoint. CBAC cannot accurately inspect the payload of packets that have been encrypted with IPSec because the protocol number in the IP header of such a packet is not TCP or UDP, and CBAC inspects only TCP and UDP packets. This should be expected, however; the purpose of encryption is to prevent unauthorized deciphering of the packets in the first place.
Port Application Mapping
Port Application Mapping (PAM) allows security administrators to customize or change the TCP and UDP port numbers for services or applications used with CBAC. This gives networks the flexibility to support services that use ports different from the registered and well-known port numbers commonly associated with certain applications. Port Application Mapping should be used under these conditions:
-To apply a nonstandard port number to a service or application
-When hosts or subnets use a port number for an application that is different from the default port number associated with the application in the PAM table
-When different hosts or subnets use the same port number for different applications
Port Application Mapping creates and maintains a table of default port-to-application mapping information on the router. The table is populated with system-defined maps by default at boot time; however, it can be modified to include host-defined mappings as well as user-defined mappings. PAM supports host- or subnet-based port mapping, which allows you to apply PAM to a single host or subnet using standard access control lists. The PAM table information enables Context-Based Access Control services to run on nonstandard ports. Previously, CBAC was limited to inspecting traffic that used only the well-known ports associated with an application. PAM entries can consist of three different types of mappings: system-defined mapping entries, user-defined mapping entries, and host-specific mapping entries. Each of these mapping entries is discussed in greater detail in the following sections.
After the router loads, PAM populates a table of system-defined mapping entries with the well-known or registered port mapping information. The PAM table entries contain all the services that are supported by CBAC and needed for it to function properly. The system-defined mapping information cannot be deleted or changed, but you can create host-defined mappings, which in effect override the system-defined parameters. Table 4.1 details each of the system-defined services.
When the network includes applications that use nonstandard ports, the security administrator must configure user-defined mapping entries in the PAM table. Each user-defined mapping entry requires a table entry for the application. User-defined mapping entries can also specify a range of ports for an application by configuring a separate entry in the PAM table for each port number of the range in succession. If a user-defined mapping entry is entered multiple times, it overwrites the previous entry in the table. An example of a user-defined mapping entry would be HTTP services running on the nonstandard port 4010 instead of the system-defined port 80. In this case, PAM would be used to map port 4010 to HTTP services. You are not allowed to map a user-defined entry over a system-defined entry; the router rejects the attempt with an error message.
Host-specific port mapping entries create port application mapping on a per-host or per-subnet basis. User-defined mapping entries cannot overwrite system-defined mapping entries in the PAM table; however, host-specific port mapping allows you to override a system-defined entry in the PAM table. Using host-specific port mapping, you can use the same port number for different services on different hosts. For example, a security administrator can assign port 1717 to FTP for one host while assigning port 1717 to Telnet for another host. Host-specific port mapping also lets you configure mapping entries on a per-subnet basis. This allows security administrators to apply PAM to a specific subnet when that subnet runs a service that uses a port number different from the one defined in the default mapping information. This works exactly like host-specific port mapping, but on a per-subnet basis rather than a per-host basis.
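The three mapping types described above, as an added Cisco IOS configuration example that is not from the original text; the addresses, ACL numbers, interface and inspection rule name are assumed for illustration.

```cisco
! Added example, not part of the original text. Addresses, ACL numbers,
! interface and the inspection rule name are assumed.
!
! User-defined mapping: HTTP served on nonstandard port 4010.
! Port 80 stays in the system-defined table; a plain user-defined entry
! that reuses a system-defined port is rejected by the router.
ip port-map http port 4010
!
! Host-specific mappings: the same port number (1717) carries FTP on one
! host and Telnet on another. Each entry is scoped by a standard ACL,
! and a host-specific entry may override a system-defined port.
access-list 10 permit host 10.1.1.5
access-list 11 permit host 10.1.1.6
ip port-map ftp port 1717 list 10
ip port-map telnet port 1717 list 11
!
! Subnet-based mapping: an entire subnet runs SMTP on port 2525.
access-list 12 permit 10.1.2.0 0.0.0.255
ip port-map smtp port 2525 list 12
!
! CBAC inspection rule. The PAM table is what lets these inspectors
! recognise the applications on the ports above, not only the
! well-known ports from the system-defined entries.
ip inspect name PERIMETER http
ip inspect name PERIMETER ftp
ip inspect name PERIMETER smtp
ip inspect name PERIMETER tcp
ip inspect name PERIMETER udp
!
interface FastEthernet0/0
 description inside network
 ip inspect PERIMETER in
!
! Verify the resulting table with: show ip port-map
! or a single port with:        show ip port-map port 1717
```

Traffic on port 1717 from 10.1.1.5 is inspected as FTP and from 10.1.1.6 as Telnet; any other host on that port falls back to the table's default entries.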